451 Research Security Analyst Garrett Bekker thinks that IT executives' unwillingness to go above and beyond basic compliance is because security tends to be a “grudge spend.”

In a survey of large enterprises, 64 percent of more than 1,100 senior IT executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches.

This contradicts many security experts' warnings that compliance standards do not constitute acceptable levels of cyberthreat prevention. Additional stats from the survey, detailed in a 2016 “Data Threat Report” issued yesterday by 451 Research and Vormetric, appear to bear out these experts' concerns. Indeed, 61 percent of survey-takers confirmed their organization has experienced a breach in the past—22 percent within the past year. This 61 percent figure represents a three percentage point increase over last year's version of the survey. The percentage of execs that cited compliance as highly effective also rose from 58 percent last year.

“Being compliant doesn't mean you're secure. I just think old habits tend to die hard in security and it's going to take some time to educate people that they need to do more than just check off compliance boxes,” said 451 Research Security Analyst and report author Garrett Bekker in an interview with SC Magazine.

Bekker suggested that in some cases, the apparent unwillingness to go above and beyond basic compliance is because IT security is a “grudge spend. It's not necessarily something a CFO wants to spend their money on. It's kind of like life insurance,” said Bekker. “It's always been tough to get funds allocated to security because it doesn't necessarily give you a tangible benefit.”

Moreover, nearly one-third of IT executives said they felt “very” or “extremely” vulnerable about the safety of their sensitive data. And yet, only 21 percent cited a past data breach as a reason for securing sensitive data, while only 27 percent cited recent major breaches at competitors like Sony, Home Depot or Target as motivation.

The two most popular incentives for spending on IT security were meeting compliance standards and brand protection (46 percent for both).

On an encouraging note, the third most commonly cited reason to secure sensitive data was to follow best practices guidelines. This response experienced the largest year-over-year increase of any answer, from 39 percent to 44 percent—an indication that some businesses may be coming around. Also, 58 percent of respondents said that expenditures to protect against data threats would be at least “somewhat higher” this year—up from 56 percent in 2015.

Current IT spending priorities tended to lean toward classic, old-school network defenses (e.g. firewalls and intrusion prevention systems), which ranked first among intended spending categories at 48 percent. Conversely, products that directly mitigate theft of data in motion and at rest, such as encryption and data loss prevention, came in last (40 percent for data-in-motion defenses, 39 percent for data-at-rest defenses).

While the report suggests that executives may be spending less on encryption because their legacy hard drives and servers already have such built-in measures, “There's still room to do more for cloud applications, big data and IoT—things that encryption isn't used all that broadly for,” Bekker explained.

The report also found that the biggest internal data threats within business organizations were privileged user accounts such as administrators (58 percent of respondents) and executive management accounts (45 percent, way up from 28 percent last year). Ordinary employees ranked fifth overall, suggesting that it's actually the policy-makers who are most guilty of flouting their own security policies.

A surprisingly high 43 percent of respondents claimed to have “complete knowledge” of the locations of their sensitive data. The report suggests that executives may be “in denial” about just how much sensitive data they have disseminated across their operations.

The biggest barriers inhibiting the adoption of data security are lack of staff (38 percent of respondents) and lack of budget (35 percent), the study found.
